FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019, when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.

Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time. We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities. The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.

During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager. It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader. The decryption key is the EFI system partition GUID, which differs from one machine to another.

Sample contents of the \efi\microsoft\boot\en-us\ directory

Once the original bootloader is located, it is loaded into memory, patched and launched. The chain then proceeds as follows:

- Patches the function of the OS loader that transfers execution to the kernel.
- The patched function hooks the kernel's PsCreateSystemThread function, which, when called for the first time, creates an additional thread that decrypts the next loader stage and launches it.
- Locates the Trojan loader file on the EFI partition and decrypts it.
- Waits until a user logs on and injects the Trojan loader into exe.
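The two on-disk traits described above (a replaced bootmgfw.efi, and extra files in efi\microsoft\boot\en-us\ whose names consist only of hexadecimal characters) can be turned into a simple triage check of a mounted EFI system partition. The script below is an added example and is not code from Kaspersky or from this article; it assumes the ESP is mounted read-only at a path you supply, that the known-good SHA-256 of bootmgfw.efi comes from your own golden image (the placeholder value here is made up), and it uses a constructed sample listing to show what the heuristic flags and what it leaves alone.

```python
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Names made only of hex digits, with no extension. Legitimate files in this
# directory are MUI resources (e.g. bootmgfw.efi.mui), which never match.
HEX_NAME = re.compile(r"^[0-9a-fA-F]+$")
EN_US_DIR = ("efi", "microsoft", "boot", "en-us")

# Constructed sample ESP listing (relative paths, Windows separators). The
# hex-named entries are invented to exercise the check, not real IoCs.
SAMPLE_LISTING = [
    r"efi\microsoft\boot\bootmgfw.efi",
    r"efi\microsoft\boot\bcd",                 # 'bcd' is pure hex but lives outside en-us
    r"efi\microsoft\boot\en-us\bootmgfw.efi.mui",
    r"efi\microsoft\boot\en-us\bootmgr.efi.mui",
    r"efi\microsoft\boot\en-us\6a8b3f1c",
    r"efi\microsoft\boot\en-us\d4e5f6a7b8c9",
    r"efi\microsoft\boot\en-us\0123abcd",
    r"EFI\Microsoft\Boot\en-US\ABCDEF01",      # case differs; FAT paths are case-insensitive
    r"efi\boot\bootx64.efi",
]


def normalize(rel_path):
    """Split a relative ESP path into lower-cased components (FAT is case-insensitive)."""
    return tuple(p.lower() for p in PureWindowsPath(rel_path).parts)


def is_hex_named(name):
    return bool(HEX_NAME.fullmatch(name))


def find_suspicious_entries(listing):
    """Return entries directly inside efi\\microsoft\\boot\\en-us\\ whose name is pure hex.

    The directory restriction matters: short legitimate names elsewhere on the
    ESP (such as 'bcd') are also valid hex strings."""
    hits = []
    for rel in listing:
        parts = normalize(rel)
        if len(parts) == len(EN_US_DIR) + 1 and parts[:-1] == EN_US_DIR and is_hex_named(parts[-1]):
            hits.append(rel)
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_boot_manager(esp_root, known_good_sha256):
    """Compare bootmgfw.efi on a mounted ESP against a known-good hash.

    Returns (status, digest_or_None) with status in {'missing', 'match', 'mismatch'}.
    The known-good value must come from your own trusted image (placeholder below)."""
    p = Path(esp_root) / "efi" / "microsoft" / "boot" / "bootmgfw.efi"
    if not p.is_file():
        return "missing", None
    digest = sha256_file(p)
    return ("match" if digest == known_good_sha256.lower() else "mismatch"), digest


def scan_esp(esp_root):
    """Walk a mounted ESP and return relative paths of hex-named en-us files."""
    root = Path(esp_root)
    if not root.is_dir():
        return []
    listing = [str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()]
    return find_suspicious_entries(listing)


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    for hit in find_suspicious_entries(SAMPLE_LISTING):
        print("hex-named file in en-us:", hit)
    # Real use: mount the ESP read-only, then e.g.
    #   scan_esp("/mnt/esp") and check_boot_manager("/mnt/esp", "<GOLDEN_SHA256_PLACEHOLDER>")
```

A hit from this check is a reason to pull the ESP image for analysis, not a verdict on its own; the hash comparison is only meaningful against a value you recorded from a trusted build of the same Windows version, and a "mismatch" after a legitimate Windows update is expected.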